REMARKS 

The present application was filed on September 12, 1997 with claims 1-26. The Examiner 
rejected claims 1-26 under 35 U.S.C. §103 as being unpatentable over U.S. Patent No. 5,606,668 
to Shwed. After responses traversing the rejection, Applicants appealed the rejections. In an Appeal 
Decision dated January 14, 2004, the Board of Patent Appeals and Interferences upheld the 
rejections. 

In view of the Appeal Decision, Applicants filed a Request for Continued Prosecution along 
with an amendment that amended independent claims 1, 8, 12, 16, 17 and 22. Such an amendment 
was made in an effort to further clarify the subject matter of the invention and expedite the case 
through to issuance. 

In the present Office Action, the Examiner has made final: (i) the rejection of claims 1-26 
under 35 U.S.C. §102(e) as being anticipated by U.S. Patent No. 5,835,726 to Shwed et al. 
(hereinafter Shwed '726); and (ii) the rejection of claims 1-26 under 35 U.S.C. § 103(a) as being 
unpatentable over U.S. Patent No. 5,606,668 to Shwed (hereinafter Shwed 4 668). 

Applicants sincerely thank Examiner Revak for the opportunity to discuss the case in a 
telephone conference held on February 28, 2005 . After Applicants outlined their position, Examiner 
Revak recommended Applicants submit their remarks in a written response for his further 
consideration. The present response contains these remarks. 

In this response, Applicants again respectfully traverse the various § 102(e) and § 103(a) 
rejections for at least the following reasons. 

Regarding the §102(e) and §103(a) rejections of claims 1-26, Applicants will first reiterate 
below their remarks presented in their Amendment and Response to Office Action dated September 
3, 2004 (Section I), followed by remarks addressing the Examiner's latest comments in the 
outstanding final Office Action (Section II). 

I. Remarks Presented in Applicants' Previous Amendment and Response to Office Action 

Since both Shwed '726 (subject of the §102(e) rejection) and Shwed '668 (subject of the 
§103 (a) rejection) fail to teach or suggest all limitations of the claimed invention, Applicants will 
address the two grounds of rejection jointly below. 
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As mentioned above, Applicants previously amended independent claims 1, 8, 12, 16, 17 and 
22. More particularly, claims 1, 8, 12, 17 and 22 were amended to recite that a security policy 
comprises multiple rules . Independent claim 16 was amended to recite that a domain comprises at 
least one security policy and a security policy comprises multiple rules, and that a plurality of 
administrators are associated with the plurality of domains . 

Applicants amended the claimed invention to further make clear the distinction between a 
security policy and a rule. That is, a security policy comprises multiple rules . Thus, by way of 
example, independent claim 1 recites a method for validating a packet in a computer network, 
comprising the steps of: deriving a session key for said packet; selecting at least one of a plurality 
of security policies as a function of the session key, wherein a security policy comprises multiple 
rules; and using the selected at least one of the security policies in validating said packet. 

Thus, as is clearly recited, when a packet is received, for example, by a computer 
implementing the methodology, first a security policy is selected from among a plurality of security 
policies, then the security policy comprised of its multiple rules is used to validate the packet. Thus, 
the invention effectively provides a hierarchical rule selection procedure . That is, before a rule is 
applied to a particular packet, the appropriate security policy is first selected and then, a rule from 
the selected security policy is applied to the packet. 

Neither Shwed '726 nor Shwed '668 teach or suggest selecting a security policy having 
multiple rules from among a plurality of security policies, each having multiple rules. 

FIG. 3 of both Shwed references have been cited in support of the rejection. As column 4, 
lines 49-50, of Shwed '726 states "FIG. 3 shows the computer screen of the network administrator." 
Then, column 6, line 62, through column 7, line 11, of Shwed '726 go on to explain: 

FIG. 3 shows the computer screen 206 in FIG. 2 in more detail. The screen is broken 
into four windows, two smaller windows at the left side and two larger windows at the right 
side. Network objects and services are two aspects of the network which must be defined in 
the security method of the present invention. Window 304 is used to define network objects 
such as the workstations, gateways and other computer hardware connected to the system. 
It is also possible to group various devices together such as, for example, the finance 
department, the research and development department, the directors of the company. It is 
thus possible to control data flow not only to individual computers on the network, but also 
to groups of computers on the network by the appropriate placement of packet filters. This 
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allows the system operator have a great deal of flexibility in the managing of 
communications on the network. It is possible for example to have the chief financial officer 
as well as other higher ranking officials of the company such as the CEO and the directors 
able to communicate directly with the finance group, but filter out communications from 
other groups. It is also possible to allow electronic mail from all groups but to limit other 
requests for information to a specified set of computers. This allows the system operator to 
provide internal as well as external security for the network. The object definition would 
include the address of the object on the network, as well as a name or group whether the 
object is internal or external to the network, whether or not a packet filter has been installed 
on this object and a graphical symbol. The graphical symbol is used in connection with the 
rule base manager 302. 



However, this portion of Shwed '726 merely refers to the fact that a network administrator 
may specify different security rule sets for different business entities. However, as clearly explained 
at column 6, lines 42-45, a rule set specified by the network administrator is then processed by the 
packet filter generator 208 and the resulting code is transmitted to the appropriate packet filter in the 
network to perform the function that is desired. Then, as explained at column 9, lines 18-50, a 
packet entering the computer, at a particular connection, on which the packet filter resides is diverted 
to the packet filter, wherein the associated rule set is applied to validate the packet. 

Therefore, unlike the claimed invention, there are no steps in either Shwed reference that, 
upon receipt of a packet to be validated, first selects a security policy from among a plurality of 
security policies and then applies the rules associated with that particular policy. Shwed merely 
applies a rule from the single rule set associated with the packet filter residing on that computer. In 
fact, Shwed ' 726 clearly states at column 2, lines 1 -4, that a computer merely applies a given security 
policy to a packet and does not select a security policy from among a plurality of security policies, 
as in the claimed invention. That is, column 2, lines 1-4, of Shwed '726 states: 

Another object of the invention is to provide a generic packet filter module which is 
controlled by a set of instructions to implement a given security policy at a node to accept 
(pass) or reject (drop) the packet wherein the packet is passed only if it passage is 
preauthorized. (Underlining added for emphasis). 
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Again, while a network administrator using the Shwed system may take into account different 
departments and individuals with varying titles at an organization, there is no escaping the fact that 
a packet filter protecting one or more than one computer is going to apply only the given security 
policy embodied by the set of instructions programmed into the filter at the packet filter generator. 
There is no ability disclosed in the Shwed system to have a packet filter receive a packet, then select 
a security policy from among a plurality of security policies, and then apply the rule set associated 
with the selected policy. This is what the claimed invention is able to do, but not something that 
either Shwed reference can do . 

For at least the above reasons, Applicants respectfully assert that independent claims 1,8, 
12,17 and 22, and the claims which respectively depend therefrom, are patentable over both Shwed 
'726 and Shwed '668. 

Further, regarding independent claim 16, both Shwed references fail to teach or suggest the 
elements of claim 1 6 including a domain comprising at least one security policy and a security policy 
comprising multiple rules, and that a plurality of administrators are associated with the plurality of 
domains, wherein multiple rules are administered such that only an administrator for a given domain 
is permitted to modify rules of a security policy for that domain. 

Assuming, arguendo, that the Office Action's assertion on page 6 is accurate (which 
Applicants' do not believe that it is) and that Shwed discloses multiple administrators, no where does 
either Shwed reference teach or suggest that, among a plurality of administrators associated with a 
plurality of domains, only an administrator for a given domain is permitted to modify rules of a 
security policy for that domain , as in claim 16. 

For at least the above reasons, Applicants respectfully assert that independent claim 16 is 
patentable over both Shwed '726 and Shwed '668. 

II. Remarks Addressing Examiner's Latest Comments in Outstanding Final Office Action. 

Despite Applicants' sincere attempt to clearly point to the features of claims invention which 
are clearly distinguishable over both Shwed '726 and Shwed '668 (as reiterated above), the final 
Office Action fails to address such remarks. 
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That is, page 2 and 3 of the final Office Action state, in sum, that "a security policy is a 
collection of rules that dictate how the security policy is to be enforced." This rationale for 
maintaining the rejections fails to address one of the main arguments previously presented by 
Applicants, namely, that there is no ability disclosed in the Shwed system to have a packet filter 
receive a packet, then select a security policy from among a plurality of security policies, and then 
apply the rule set associated with the selected policy . 

That is, unlike the claimed invention, there are no set of steps taught in either Shwed 
reference that, upon receipt of a packet to be validated, first selects a security policy from among a 
plurality of security policies and then applies the rules associated with that particular policy. Shwed 
merely applies a given security policy to a packet and does not select a security policy from among 
a plurality of security policies , as in the claimed invention. 

Again, while a network administrator using the Shwed system may take into account different 
departments and individuals with varying titles at an organization, a packet filter protecting one or 
more than one computer is going to apply only the given security policy embodied bv the set of 
instructions programmed into the filter at the packet filter generator . 

So, whether a security policy associated with a packet filter of Shwed represents more than 
one rule, there is clearly no ability disclosed in the Shwed system to have a packet filter receive a 
packet, then select a security policy from among a plurality of security policies, and then apply the 
rule set associated with the selected policy. That is. there is no policy selection followed bv rule 
selection in a packet filter of Shwed . 

Thus, the Shwed references can not disclose "selecting at least one of a plurality of security 
policies as a function of the session key (data item), wherein a security policy comprises multiple 
rules, and using the selected at least one of the security policies in validating said packet," as recited 
in independent claims 1 , 1 7 and 22. Nor can the Shwed references disclose "designating a plurality 
of independent security policies, wherein a security policy comprises multiple rules, determining 
which security policy is appropriate for the packet, and validating the packet using at least a portion 
of the multiple rules of the determined security policy," as recited in independent claims 8 and 12. 

Furthermore, despite the Examiner's contention to the contrary, the Shwed references do not 
teach or suggest "segmenting a plurality of security policies into a plurality of domains, wherein a 
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domain comprises at least one security policy and a security policy comprises multiple rules, and 
further wherein a plurality of administrators are associated with the plurality of domains, and 
administering the multiple rules such that only an administrator for a given domain is permitted to 
modify rules of a security policy for that domain," as recited in independent claim 16. 

Even if one were to agree that Shwed discloses multiple administrators and multiple domains 
(which Applicants still do not agree with for at least the reasons given above), there is nothing taught 
nor suggested by Shwed, or argued by the Examiner, that supports "administering the multiple rules 
such that only an administrator for a given domain is permitted to modify rules of a security policy 
for that domain," as recited in independent claim 16. 

Accordingly, withdrawal of the § 1 02(e) and § 1 03(a) rejections of claims 1 -26 is respectfully 
requested. 



Respectfully submitted, 



Date: February 28, 2005 




William E. Lewis / 
Attorney for Applicant(s)^- 
Reg. No. 39,274 
Ryan, Mason & Lewis, LLP 
90 Forest Avenue 
Locust Valley, NY 11560 
(516) 759-2946 
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